datadriven — 2013-04-27T10:58:08-04:00 — #1
Just discovered that the email on a certain domain (one of several domains on the same account) has had about 500 emails added to the account, without my interaction.
Is there any way this can be done besides going through the cPanel platform itself, that is, by root privileges?
I haven't run through all the pages of emails that were added, but my single email account that I use with this domain appears to have been removed? Wouldn't removal of an email account have to be done through cPanel access?
Could the host server have been hacked separately with the names added? I have been sending emails via Outlook Express on my local machine; however, even if the password was compromised in this way, it doesn't explain gaining the rights to add email names to my account.
Is there any obligation on the part of the host to inform users when systems have been compromised (silly question - infers responsibility?)
dklynn — 2013-04-28T07:02:57-04:00 — #2
It's pretty clear that you've been hacked. However, not enough information was provided for us to get a hint at the attack vector. Therefore, my standard list applies:
1. Immediately delete all FTP access except one (master for the account).
2. Change the master password (cPanel and FTP) to a VERY STRONG one using an http://strongpasswordgenerator.com password of sufficient length.
3. Use maldet scans (on an Apache server) which find and report all forms of malware (viruses, worms and SCRIPTS which can cause problems). This will enable you to find and remove scripts which can be embedded in HTML, PHP and JS files. Repeat the maldet scans until there are no files detected, then add a CRON to run maldet scans on a regular basis. Be aware that recovery will primarily consist of DELETING all HTML, PHP and JS files and replacing them with originals (from your master copies).
4. Additionally, I use a script (via CRON) to verify that files have remained unchanged over the last xx hours for "peace of mind."
5. Database: If you are running WordPress or the like (database verification for admin accounts), create a new admin and delete all other admin records.
6. Update all "canned scripts" (e.g., WP, Zencart, etc.) and be sure that they're kept updated in order to prevent further attacks via security problems discovered in those scripts. This includes their third-party plug-ins, too.
7. Uploaded files: Be sure to do a thorough check of any file uploaded to your website (I limit uploaded files to images and they are resized by GD before being saved to my "webspace").
Be paranoid. You may get tired of jumping through hoops to keep your website safe but it's far easier than repairing a hacked website (and it'll be without the damage to your reputation as a webmaster).
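An added example, not posted in this thread, of the kind of cron-driven file-integrity check dklynn describes: it records a SHA-256 baseline of the web root and reports files added, removed or modified since, plus a "changed in the last N hours" view. The web root path, baseline filename and hour count are assumptions.

```shell
#!/bin/sh
# Added example (not posted in this thread): a minimal file-integrity check of
# the kind dklynn runs from cron. It stores a SHA-256 baseline of every file
# under a web root and later reports files that were added, removed or changed.
# Paths, the baseline filename and the hour count are assumptions.
# Limitation: file names containing spaces or newlines are not handled.

# Write a baseline: one "hash  ./relative/path" line per regular file.
fim_baseline() {
    webroot="$1"; baseline="$2"
    ( cd "$webroot" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done ) > "$baseline"
}

# Compare the current tree against a stored baseline; prints one line per
# difference (ADDED / REMOVED / MODIFIED) and nothing when the tree is clean.
fim_check() {
    root="$1"; known="$2"
    current=$(mktemp)
    fim_baseline "$root" "$current"
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in base) if (!(p in cur)) print "REMOVED " p
            for (p in cur) {
                if (!(p in base))           print "ADDED " p
                else if (cur[p] != base[p]) print "MODIFIED " p
            }
        }' "$known" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# The "last xx hours" view: regular files whose contents changed recently.
fim_recent() {
    find "$1" -type f -mmin "-$(( $2 * 60 ))" | LC_ALL=C sort
}

# Cron usage, e.g. hourly (assumed paths):
#   fim.sh check /home/user/public_html /home/user/.fim-baseline
case "${1:-}" in
    baseline) fim_baseline "$2" "$3" ;;
    check)    fim_check "$2" "$3" ;;
    recent)   fim_recent "$2" "$3" ;;
esac
```

Any non-empty output from `check` is a reason to diff the file against your master copy before trusting it; after a legitimate deploy, rebuild the baseline.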
datadriven — 2013-04-28T12:17:19-04:00 — #3
Would add to that, Host Access Control to restrict access by IP to cPanel, FTP accounts, email accounts, etc., where feasible.
My opinion is this will block out most attempts.
dklynn — 2013-04-28T18:46:41-04:00 — #4
From my own account (dedi at WebHostingBuzz), that appears to be a feature of cPanel (recent update - 3-6 months ago). My cPanel looks at both my cookies AND IP address and, if something appears amiss, it'll ask three of my six (?) security questions before allowing access to cPanel. Is it any wonder I require cPanel/WHM and praise WebHostingBuzz for keeping cPanel updated?
Using ultra-strong passwords (strongpasswordgenerator.com) will take care of FTP (if you only allow your own account) and e-mail access.
Ditto maldet scanning!